[PATCH 2 of 2] SSL: $ssl_encrypted_hello variable
Maxim Dounin
mdounin at mdounin.ru
Tue Sep 16 22:08:59 UTC 2025
Hello!
On Tue, Sep 09, 2025 at 02:31:42PM +0300, Maxim Dounin wrote:
> # HG changeset patch
> # User Maxim Dounin <mdounin at mdounin.ru>
> # Date 1757416233 -10800
> # Tue Sep 09 14:10:33 2025 +0300
> # Node ID 223d802d990cf5b32517fca34da299b243f37086
> # Parent c28c012ef2a0448356ed0d8428bb373555689c8c
> SSL: $ssl_encrypted_hello variable.
>
> diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c
> +++ b/src/event/ngx_event_openssl.c
> @@ -5835,6 +5835,48 @@ ngx_ssl_get_early_data(ngx_connection_t
>
>
> ngx_int_t
> +ngx_ssl_get_encrypted_hello(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
> +{
> + s->len = 0;
> +
> +#ifdef OSSL_ECH_FOR_RETRY
> + {
> + char *outer, *inner;
> +
> + /* OpenSSL */
> +
> + outer = NULL;
> + inner = NULL;
> +
> + if (SSL_ech_get1_status(c->ssl->connection, &outer, &inner)
> + == SSL_ECH_STATUS_SUCCESS)
> + {
> + ngx_str_set(s, "1");
> + }
> +
> + if (outer) {
> + OPENSSL_free(outer);
> + }
> +
> + if (inner) {
> + OPENSSL_free(inner);
> + }
> + }
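Review bot: outer and inner in the OSSL_ECH_FOR_RETRY block are fetched only to be freed, and nothing in the visible lines reads them, so a one-line comment saying the names are intentionally unused would help the next reader. The `if (outer)` and `if (inner)` guards can also be dropped, since OPENSSL_free(NULL) is a no-op. Only SSL_ECH_STATUS_SUCCESS produces "1" here and every other status leaves the value empty; that mapping should be stated in the variable's documentation so that configurations logging or branching on $ssl_encrypted_hello know what an empty value covers.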
With upcoming fixes to client certificate verification in the OpenSSL
ECH branch (https://github.com/openssl/openssl/pull/28555), this
is adjusted as follows:
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -5841,6 +5841,7 @@ ngx_ssl_get_encrypted_hello(ngx_connecti
#ifdef OSSL_ECH_FOR_RETRY
{
+ int status;
char *outer, *inner;
/* OpenSSL */
@@ -5848,8 +5849,10 @@ ngx_ssl_get_encrypted_hello(ngx_connecti
outer = NULL;
inner = NULL;
- if (SSL_ech_get1_status(c->ssl->connection, &outer, &inner)
- == SSL_ECH_STATUS_SUCCESS)
+ status = SSL_ech_get1_status(c->ssl->connection, &outer, &inner);
+
+ if (status == SSL_ECH_STATUS_SUCCESS
+ || status == SSL_ECH_STATUS_BAD_NAME)
{
ngx_str_set(s, "1");
}
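Review bot: the condition now maps SSL_ECH_STATUS_BAD_NAME to "1" with no comment at the `if (status == SSL_ECH_STATUS_SUCCESS` test explaining why a status other than SUCCESS counts as ECH having been used. The reason given in the mail (client certificate verification fixes in the OpenSSL ECH branch) should be recorded in a short comment there. Since SUCCESS and BAD_NAME become indistinguishable in $ssl_encrypted_hello, the documentation should say so for anyone using the variable in logging or access decisions.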
[...]
--
Maxim Dounin
http://mdounin.ru/